curl: 7.82.0 -> 7.83.0 #170654
Conversation
@ofborg eval
@lovek323 Please clarify if you're still interested in maintaining the curl package.
@mweinelt Yes, I'm still happy to maintain it. I can test these changes on NixOS and macOS – I know I've been quite lax in doing my duties here, so I'm interested to know if there are any requirements/suggestions for actions maintainers need to take so I can start contributing more proactively.
Should we now enable http3 support by default?
If it still requires the patched openssl I am not sure if we should.
It would be nice if you could update curl when a new version is out and add patches when CVEs are known. Also there are other topics like http3 which need some attention. Also it would be nice if not literally everything would be rebuilt when changing curl, but I am not sure how realistic that is.
Patch is based on this PR - openssl/openssl#8797
I don't know. Is http3 support important at this time? I think it is pretty safe to assume that all websites support at least http1.1 or http2 in addition to http3 at this time. If someone else wants to make the call, feel free, but I don't want to block openssl security fixes by using a fork just for http3 support.
All security updates for OpenSSL can be applied to Quictls:
Did anyone test the two Darwin platforms? Or are we going to be in for a surprise when this hits staging-next?
I don't mix security updates with enabling features. Feel free to create another PR for that.
I didn't because I had no hope that ofborg could build the stdenv before timing out. (Yes, darwin has curl in its stdenv....) @NixOS/darwin-maintainers
I have tested both x86_64-darwin and aarch64-darwin – the build failed for me on aarch64-darwin.
Looks like it failed on the build of
I'm happy to update the |
I got that same failure on |
After you mentioned it I had a look and I was quite confused to find out darwin stdenv has curl in it, and in stage 1 even. I found a related issue #9655, which looks at the resulting stdenv, but the closure for building the various stages is even bigger; it even includes python3. I had a look at the PRs in the repo and there's 1281 PRs with the
The
Can confirm they fail before this PR. |
Am trying to get the contents of that file |
Bisect claims 85f5539
Should be fixed upstream as pycurl/pycurl@d47c68b |
Proposed possible fix for pycurl as #171098 |
@risicle debugged the failure in that other PR and it turned out to be a machine specific issue. I ran the curl build from this PR again on a different
@uri-canva builds for me on
Description of changes
https://curl.se/changes.html#7_83_0
https://curl.se/docs/CVE-2022-22576.html
https://curl.se/docs/CVE-2022-27774.html
https://curl.se/docs/CVE-2022-27775.html
https://curl.se/docs/CVE-2022-27776.html
Fixes: CVE-2022-22576, CVE-2022-27774, CVE-2022-27775, CVE-2022-27776